<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<tt>See below...</tt><br>
<blockquote cite="mid:481A4A9C.2070808@in.if.ua" type="cite">
<blockquote cite="mid:481A3B13.5000506@dds.nl" type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">I still don't understand your setup. The server has a leftnexthop
to its own network interface?
</pre>
</blockquote>
<pre wrap="">Actually, yes... Is this not good?
</pre>
</blockquote>
<pre wrap=""><!---->No, not good. Usually you don't need to explicitly set this parameter.
See man ipsec.conf.
</pre>
</blockquote>
<small>Without this parameter I used to loose any connectivity with
the
server (including ssh or ping) after IPSec connection had been
established...</small><br>
<blockquote cite="mid:481A3B13.5000506@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">eth1 is internal interface which does have real world IP addresses.
</pre>
</blockquote>
<pre wrap=""><!---->Why? It is not to be accessed from the outside, right?
</pre>
</blockquote>
<small>No, actually it should be accessed from outside. Even more -
we
have many machines with real world IPs in out internal network and many
of them also should be accessed from outside. We are using firewall to
limit this access of course...</small><br>
<blockquote cite="mid:481A3B13.5000506@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">Openswan listens to 68.68.12.1. L2TP server also listens to 68.68.12.1.
</pre>
</blockquote>
<pre wrap=""><!---->That means you want users on the internal network to securely access
the Internet?
</pre>
</blockquote>
<small>This is not the main wish - but it would be great to have such
possibility...</small><br>
<blockquote cite="mid:481A3B13.5000506@dds.nl" type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">What is it exactly that you want to achieve? Allow VPN users in
from the Internet to the internal network? Allow VPN users on
the internal (possibly untrusted such as wireless?) network out
to the Internet?
</pre>
</blockquote>
<pre wrap="">Ideally I want both... But currently I want to have VPN for external
(from Internet) users.
</pre>
</blockquote>
<pre wrap=""><!---->If so, then currently Openswan is listening on the wrong interface.
</pre>
</blockquote>
<small>Actually I started to think the same way... See below.</small><br>
<blockquote cite="mid:481A3B13.5000506@dds.nl" type="cite">
<pre wrap="">I don't know if you can support both scenarios at the same time.
I for one have not tested this. If you are just starting with
Openswan and L2TP, I'd say to forget about it at this stage.
</pre>
</blockquote>
<small>If I forget I will never learn it. I would like to keep
trying... for now.<br>
<br>
Have an update:<br>
<br>
Well... As I promised I have tried to specify another route for L2TP
traffic. However it did not help!<br>
<br>
On the other side... I have found many configurations in Google using
transport mode. And I was using tunnel mode... So I decided to give it
a try. In the transport mode the Openswan server complains:<br>
<br>
<font face="Terminus">route-host output: /usr/lib/ipsec/_updown:
doroute `ip route add 92.30.44.50/32 via 68.68.44.42 dev ipsec0 '
failed (RTNETLINK answers: Network is unreachable)</font><br>
<br>
I just thought that such route (if possible to set) would solve my
problem with L2TP... :) Seems you have mentioned in your doc that
Windows requires transport mode (I can be wrong)... So now I'm going to
try using eth0 as an interface for ipsec.<br>
</small></blockquote>
<tt>Okey, I did and now my VPN works! =)<br>
<br>
Thank you all very much! Special thanks to you, Jacco!<br>
<br>
Best regards,<br>
Andriy<br>
</tt>
</body>
</html>